A Mysterious Grey-Hat Is Patching People's Outdated MikroTik Routers (zdnet.com)

An anonymous reader quotes a report from ZDNet: A Russian-speaking grey-hat hacker is breaking into people's MikroTik routers and patching devices so they can't be abused by cryptojackers, botnet herders, or other cyber-criminals, ZDNet has learned. The hacker, who goes by the name of Alexey and says he works as a server administrator, claims to have disinfected over 100,000 MikroTik routers already. "I added firewall rules that blocked access to the router from outside the local network," Alexey said. "In the comments, I wrote information about the vulnerability and left the address of the @router_os Telegram channel, where it was possible for them to ask questions." But despite adjusting firewall settings for over 100,000 users, Alexey says that only 50 users reached out via Telegram. A few said "thanks," but most were outraged. The vigilante server administrator says he's been only fixing routers that have not been patched by their owners against a MikroTik vulnerability that came to light in late April.
  • by Rick Schumann ( 4662797 ) on Friday October 12, 2018 @04:02PM (#57469142) Journal
    ..but the sysadmin they deserve?
    Regardless, I approve of this. Bravo, Sir.
    • bravo zulu in the navy...not sure what that means...
    • Re: (Score:2, Insightful)

      by Gravis Zero ( 934156 )

      Not the sysadmin they want but the sysadmin they deserve?

      The sysadmin they deserve is Janit0r. Janit0r took devices offline permanently with BrickerBot because people couldn't be bothered to maintain and secure their devices.

    • The Round-Robin Hood...
    • the terrorists screw up the system by fixing things so they work better.

    • In the end, you've had your router hacked - and it probably needs to be reset (or tossed and upgraded).

      So what if the hacker's trying to do the right thing. Would anyone smart trust a random stranger out there "fixing" your router without consent? Wouldn't a black hat just say the same thing - "Fixed your router for you. And oh yeah... you're welcome!" - and slip something malicious in?

      The dude is only accomplishing one thing: Getting even with lazy router owners to help other less lazy owners out. Misguide

      • by djinn6 ( 1868030 ) on Friday October 12, 2018 @08:38PM (#57470118)

        You should reset and update your router anyways. Just because this guy didn't install malware, it doesn't mean nobody else did.

        Besides, if this guy didn't get to you, then you would've never noticed your router is vulnerable and the black hats would've had all the time in the world to do damage. But since he did, at least you know there is a problem and can do something about it.

        • by AmiMoJo ( 196126 )

          Problem is that updates have a cost. I don't mean development, I mean that some percentage of devices will brick. Failed updates, failed flash memory etc. Then some percentage of users will have trouble like a lost configuration that their son or daughter set up and they don't know how to fix.

          As such there is little incentive for manufacturers to advertise the fact that an update is available. As long as it exists they are covered legally, but ideally (for them) no one will actually apply it.

  • They were smart enough to log in and see the note, but the router was still unpatched? Maybe that was the bad guys?
    • by Anonymous Coward

      They can't log in remotely once he put the note there, so no.

    • That was my first thought too, but it could also just be undereducated "power users" who had just lost remote access to their LAN without realizing the security implications of everyone else having access, too.

  • Ah yes, outraged... (Score:2, Informative)

    by Anonymous Coward

    When people can't admit they were morons. They are the ones who ran unsecured hardware and didn't bother patching it. They should be thanking him, he may have prevented many actual scumbags from exploiting their hardware.

    • by TheReaperD ( 937405 ) on Friday October 12, 2018 @06:49PM (#57469770)

      I remember once that I switched a bad security setting with the intention of switching it right back. Well, I forgot to switch it back. Thankfully a guy from 4chan hacked my system and left me a note to fix it without doing any damage. Left him a thank you note. If you're bitching about this, you're an ungrateful asshole.

  • The Hero we need, but do not deserve

  • by Gravis Zero ( 934156 ) on Friday October 12, 2018 @04:26PM (#57469276)

    I'll say it plainly, if you do not maintain your devices then anyone should be free to brick them. The obvious argument is "but it's not yours!" but this disregards that like an unvaccinated child, it puts everyone else at risk. The only alternative to this is to hack the devices so that they permanently DoS the manufacturer and sellers of the device. The situation will not improve until companies are forced to make devices secure.

    • This is like saying if I put my bike in my backyard, go in the house to take a leak and find my bike stolen, it is completely my fault for it being stolen and anyone should be free to steal it. This is BS. There may be many reasons why an update was not performed. Two wrongs do not make a right. Making changes to someone's property without their permission is wrong. Period.
    • Re: (Score:3, Insightful)

      by quonset ( 4839537 )

      I'll say it plainly, if you do not maintain your devices then anyone should be free to brick them.

      I'll say it plainly, if you do not lock every single door and bolt down your windows then anyone should be free to steal your stuff.

      I'll say it plainly, if you do not lock your car then anyone should be free to steal it.

      I'll say it plainly, if you do not hold onto your phone every second you are out then anyone should be free to steal it.

      • by epyT-R ( 613989 ) on Friday October 12, 2018 @08:15PM (#57470062)

        Theft is not the same thing as breaking and entering so those are bad analogies. In this case, he fixed the issue you couldn't be bothered to fix for the sake of everyone else. It's still breaking and entering, but more like a neighbor breaking in to shut the gas off before your house destroys the neighborhood. I'd look at it as a favor...then I'd wipe the device and reflash and/or replace as necessary.

        • by AmiMoJo ( 196126 )

          If people understood that they would probably be grateful. Unfortunately there are a lot of tech support scams these days and people are worried about doing their banking and shopping online...

          Not worried enough to really do much about it of course.

      • You make an analogy between physical devices and internet devices. Your analogy is dead wrong. Here is why:

        An internet-connect device has potentially billions of attackers. Billions. Literally anyone, anywhere on the planet, any time. To contrast, someone has to show up to your door, car, phone.

        Furthermore, hacking internet devices can be automated, so ONE attacker can potentially attack ALL the devices on the internet that share that vulnerability.

        So your RISK on your internet connected device so far

  • ... to consider:

    Let's say it takes 30 minutes (being very, very generous here) to do the patch, post the blurb and stuff. Appreciate I'm ignoring the time it takes to locate these puppies.

    100,000 routers X 30 minutes = 3,000,000 router-minutes ÷ 60 = 50,000 router-hours ÷ 24 = 2,083 router-days ÷ 365.25 = 5.7 router-years.

    • Plus you haven't factored in the time it takes him/her to drive to where the router is and then somehow sneak in, hook up a laptop and do the fix and then sneak out! ;-)
  • Can the updates run without reboot?

    That is one part of why they don't get updated: the down time.

    • by Anonymous Coward

      RouterOS boots quickly and has failover methods. That stuff is built for ISPs. If you don't have a redundant router that can take over while the other one reboots, you're not serious about avoiding down time anyway.

  • Like if you were "renting/leasing" your router from your ISP and they bricked it as a "favor" for you,

    If you bought your own router:

    1) Disable remote access

    2) Change all the "passwords" you can. Extra points if you can change the admin account to something other than admin.

    3) Get the most recent update from the vendor and apply it to your device. Repeat steps 1 and 2.

    4) Create some local firewall rules, make sure nothing in your network is in an Internet reachable DMZ.
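The four steps above, as an added RouterOS CLI example (it is not the commenter's own configuration and not anything Alexey is reported to have applied); it assumes ether1 is the Internet uplink and 192.168.88.0/24 is the LAN, and uses a placeholder passphrase.

```routeros
# Added example, not from the post. Assumes the WAN uplink is ether1 and
# the LAN is 192.168.88.0/24 (RouterOS defaults); adjust both to your setup.

# Step 1: disable remote access. Put the uplink in an interface list and
# drop every unsolicited packet that arrives on it for the router itself.
/interface list add name=WAN comment="uplink interfaces"
/interface list member add list=WAN interface=ether1
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="allow replies to the router's own sessions"
add chain=input in-interface-list=WAN action=drop \
    comment="block all management access from the Internet"

# Bind the management services you keep to the LAN and turn off the ones
# you do not use (plaintext telnet/ftp/http and the API).
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service disable telnet,ftp,www,api,api-ssl

# Step 2: replace the default 'admin' account with a named admin and a
# real password, then disable 'admin'. CHANGEME is a placeholder.
/user add name=netadmin group=full password="CHANGEME-use-a-long-passphrase"
/user disable admin

# Step 3: pull the latest RouterOS package; install reboots the router.
/system package update check-for-updates
/system package update install

# Step 4: verify nothing on the LAN is exposed by a dst-nat (DMZ) rule;
# the listing should be empty unless you deliberately forward a port.
/ip firewall nat print where chain=dstnat
```

Run this from a LAN-side session (Winbox or SSH), never over the uplink, because the input-chain drop rule takes effect immediately and will cut off any WAN-side session you are using.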

  • by Anonymous Coward

    ... insensitive clod!

  • ...to make a router that was secure against any realistic attack and still offer better throughput than anything being sold today. Reason you don't get that? It costs a little more and has to be modular, not single board.

    People prefer cheap and nasty to quality, every time.

  • by slacka ( 713188 ) on Friday October 12, 2018 @05:35PM (#57469546)

    This is the Right Thing To Do! So many times the Goody Two-Shoes so-called "white hats" take out the botnets, but rather than do this and patch the hacked machines, they just try to disable the current botnet. And surprise, surprise, within a few months all the hacked machines are back in a new, more fault-tolerant botnet.

    It's almost like these researchers realize that doing what this unsung hero did would hurt their job security. We should all celebrate this Russian hero. We need more like him.

  • by SuperKendall ( 25149 ) on Friday October 12, 2018 @05:55PM (#57469608)

    I read the article but there was no mention of what the angry replies said... I'd be really curious to find out in what way they were angry, instead of just saying "thanks, but don't do it again".

    It seems like maybe there should be something like a statute of limitations, where if an exploit was older than a certain amount it was legal for others to patch it even if it broke systems.

    • by Mistlefoot ( 636417 ) on Friday October 12, 2018 @08:30PM (#57470094)
      They were angry because they were administering networks remotely and all of a sudden were not able to as their access was disabled as well.

      Imagine you are an incompetent IT doing work remotely and you can't access it anymore. So you have your client login locally to enable that feature again and they read that message to you. Now your client knows you are incompetent too. And then when the client refuses to enable access from outside the network you actually have to leave your desk to do the work. Or find a new customer as you have now been replaced.
